05 October 2015
Getting OpenLDAP working on CentOS 6 was a painful experience for me. The syntax of the config files and the way you load users etc. - none of it seemed obvious. I got it working, at least as far as a POC environment goes, and have produced this post in the hope it saves someone else some pain.
$ yum install -y openldap openldap-clients openldap-servers
Some older posts on the web talk about /etc/openldap/slapd.conf, which doesn't seem to exist any more. All the config is within /etc/openldap/slapd.d in several cryptic files.
First, pick what domain you want your 'dc' (domain component) to be; I am using appsintheopen.
Then generate a hash for the ldap root password (copy the value as you will need it in a moment):
$ slappasswd
New password:
Re-enter new password:
{SSHA}ST60lR0GBhedeMm+70nJV00VzKjtyxwp
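To see what slappasswd actually produced, here is an added example in Python (not code from the post) that unpacks an {SSHA} value into its SHA-1 digest and salt, builds one the same way, and verifies a password against it in constant time. The hash string from the post is reused only to show its layout; its password is not known, and the password used for the generated value is a constructed one.

```python
import base64
import hashlib
import hmac
import os

# The value the post got from slappasswd; its password is not known, it is
# used here only to show how the string is laid out.
HASH_FROM_POST = "{SSHA}ST60lR0GBhedeMm+70nJV00VzKjtyxwp"

DIGEST_LEN = hashlib.sha1().digest_size   # 20 bytes


def parse_ssha(value):
    """Split an {SSHA} string into (sha1_digest, salt).

    The scheme is base64(sha1(password + salt) || salt): the first 20
    bytes are the digest, everything after them is the salt.
    """
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("too short to hold a SHA-1 digest plus salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def make_ssha(password, salt=None):
    """Build an {SSHA} value the way slappasswd does (random 4-byte salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password, value):
    """True if password matches value; the digest comparison is constant-time."""
    digest, salt = parse_ssha(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    digest, salt = parse_ssha(HASH_FROM_POST)
    print(f"digest={digest.hex()} salt={salt.hex()} ({len(salt)} bytes)")
    stored = make_ssha("example-password")   # constructed, not the post's password
    print(stored, verify_ssha("example-password", stored), verify_ssha("wrong", stored))
```

The post's value decodes to 24 bytes, i.e. a 20-byte SHA-1 digest followed by a 4-byte salt. {SSHA} is an unkeyed salted SHA-1, which is fine for a POC root password; slappasswd can also emit {CRYPT} values (-h '{CRYPT}', with the salt format chosen by -c, e.g. '$6$%.16s' for SHA-512 crypt on glibc), which is the better choice for a directory that will outlive the POC.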
There are a few lines to add and change in the database config file, /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif (the comment at the top of each snippet below names the file).
Find the line for olcSuffix, and change it (or add it if it does not exist):
# /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
olcSuffix: dc=appsintheopen,dc=com
Find the line for olcRootDN:
# /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
olcRootDN: cn=Manager,dc=appsintheopen,dc=com
Add a line for the password generated above:
# /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
olcRootPW: {SSHA}ST60lR0GBhedeMm+70nJV00VzKjtyxwp
Add the following two lines to the bottom of the file. They let a user write their own userPassword (and nobody but Manager read it), give Manager write access to everything, and let everyone read the rest; this is what allows a user to update their own password later:
# /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
olcAccess: {0}to attrs=userPassword by self write by dn.base="cn=Manager,dc=appsintheopen,dc=com" write by anonymous auth by * none
olcAccess: {1}to * by dn.base="cn=Manager,dc=appsintheopen,dc=com" write by self write by * read
You can test the config is OK with the following command:
$ slaptest -u
Ignore any checksum errors; the files under slapd.d carry a CRC32 of their contents, which editing them by hand invalidates.
Now you can start up the ldap server (and configure it to come up at boot time):
$ service slapd start
$ chkconfig --levels=345 slapd on
Next, you need to create the overall organisation, users and groups entries in the ldap hierarchy. To do this, create a file like the following (/tmp/base.ldif). Note that the blank lines between entries are important: ldapadd uses them to tell one entry from the next!
dn: dc=appsintheopen,dc=com
objectClass: dcObject
objectClass: organization
o: appsintheopen.com
dc: appsintheopen

dn: ou=users,dc=appsintheopen,dc=com
objectClass: organizationalUnit
objectClass: top
ou: users

dn: ou=groups,dc=appsintheopen,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups
Now load the entries you created in that file:
$ ldapadd -x -W -D "cn=Manager,dc=appsintheopen,dc=com" -f base.ldif
Enter LDAP Password:
adding new entry "dc=appsintheopen,dc=com"
adding new entry "ou=users,dc=appsintheopen,dc=com"
adding new entry "ou=groups,dc=appsintheopen,dc=com"
Now you can query the ldap server to ensure it returns the objects you just added:
$ ldapsearch -x -W -D "cn=Manager,dc=appsintheopen,dc=com" -b "dc=appsintheopen,dc=com" "(objectclass=*)"
To add users to the LDAP server, you create files similar to the above and load them with the same command. For instance, I will create a few groups (staff, hadoop-admin, hadoop-users), create a couple of users and assign them to the groups, all in one file (all.ldif):
dn: cn=staff,ou=groups,dc=appsintheopen,dc=com
objectClass: top
objectClass: posixGroup
cn: staff
gidNumber: 1000

dn: cn=hadoop-users,ou=groups,dc=appsintheopen,dc=com
objectClass: top
objectClass: posixGroup
cn: hadoop-users
gidNumber: 1001

dn: cn=hadoop-admin,ou=groups,dc=appsintheopen,dc=com
objectClass: top
objectClass: posixGroup
cn: hadoop-admin
gidNumber: 1002

dn: uid=sam,ou=users,dc=appsintheopen,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: sam
uid: sam
uidNumber: 20000
gidNumber: 1000
homeDirectory: /home/sam
loginShell: /bin/bash
gecos: sam
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

dn: uid=bob,ou=users,dc=appsintheopen,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: bob
uid: bob
uidNumber: 20001
gidNumber: 1000
homeDirectory: /home/bob
loginShell: /bin/bash
gecos: bob
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

dn: uid=jim,ou=users,dc=appsintheopen,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: jim
uid: jim
uidNumber: 20002
gidNumber: 1000
homeDirectory: /home/jim
loginShell: /bin/bash
gecos: jim
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

dn: cn=staff,ou=groups,dc=appsintheopen,dc=com
changetype: modify
add: memberUid
memberUid: sam

dn: cn=staff,ou=groups,dc=appsintheopen,dc=com
changetype: modify
add: memberUid
memberUid: bob

dn: cn=staff,ou=groups,dc=appsintheopen,dc=com
changetype: modify
add: memberUid
memberUid: jim

dn: cn=hadoop-users,ou=groups,dc=appsintheopen,dc=com
changetype: modify
add: memberUid
memberUid: bob

dn: cn=hadoop-admin,ou=groups,dc=appsintheopen,dc=com
changetype: modify
add: memberUid
memberUid: jim
Now add the new users and groups:
$ ldapadd -x -W -D "cn=Manager,dc=appsintheopen,dc=com" -f all.ldif
Enter LDAP Password:
adding new entry "cn=staff,ou=groups,dc=appsintheopen,dc=com"
adding new entry "cn=hadoop-users,ou=groups,dc=appsintheopen,dc=com"
adding new entry "cn=hadoop-admin,ou=groups,dc=appsintheopen,dc=com"
adding new entry "uid=sam,ou=users,dc=appsintheopen,dc=com"
adding new entry "uid=bob,ou=users,dc=appsintheopen,dc=com"
adding new entry "uid=jim,ou=users,dc=appsintheopen,dc=com"
modifying entry "cn=staff,ou=groups,dc=appsintheopen,dc=com"
modifying entry "cn=staff,ou=groups,dc=appsintheopen,dc=com"
modifying entry "cn=staff,ou=groups,dc=appsintheopen,dc=com"
modifying entry "cn=hadoop-users,ou=groups,dc=appsintheopen,dc=com"
modifying entry "cn=hadoop-admin,ou=groups,dc=appsintheopen,dc=com"
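Because ldapadd stops at the first entry it cannot load, it pays to check a file like all.ldif before loading it. The following is an added example in Python, not part of the post or of OpenLDAP: a small LDIF reader that splits records on blank lines (and reports a second dn: line with no blank line before it, which is what a file with the separators stripped looks like), checks the attributes slapd's nis schema requires for posixGroup and posixAccount, checks that the RDN value is present in the entry, flags duplicate uidNumber/gidNumber values, flags memberUid values that name no account in the file, and flags the {crypt}x placeholder password so nobody forgets to run ldappasswd. The sample LDIF is constructed for the example (base DN changed, one group deliberately missing its cn) and the checks assume the file is self-contained, as all.ldif above is.

```python
from collections import Counter

# Constructed sample, modelled on all.ldif above; not the post's file verbatim.
# The hadoop-users group deliberately omits its cn so the lint has something to report.
SAMPLE_LDIF = """\
dn: cn=staff,ou=groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: staff
gidNumber: 1000

dn: cn=hadoop-users,ou=groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
gidNumber: 1001

dn: uid=sam,ou=users,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: sam
uid: sam
uidNumber: 20000
gidNumber: 1000
homeDirectory: /home/sam
loginShell: /bin/bash
userPassword: {crypt}x

dn: cn=staff,ou=groups,dc=example,dc=com
changetype: modify
add: memberUid
memberUid: sam
-
add: memberUid
memberUid: bob
"""

# MUST attributes from the nis/cosine schemas for the object classes the post uses.
MUST = {
    "posixgroup": {"cn", "gidnumber"},
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
    "account": {"uid"},
}
# Password values that can never match a login attempt (assumed placeholders).
PLACEHOLDER_PASSWORDS = {"{crypt}x", "{crypt}!", "{crypt}*"}


def parse_ldif(text):
    """Return one dict per record, mapping lower-cased attribute names to value lists
    (the dn is under key 'dn'). Records are separated by blank lines, as ldapadd expects."""
    records, attrs, last = [], None, None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#") or line.strip() == "-":
            continue                                  # comment or modify-op separator
        if not line.strip():
            if attrs is not None:
                records.append(attrs)
            attrs, last = None, None
            continue
        if line.startswith(" ") and last is not None:
            attrs[last][-1] += line[1:]               # RFC 2849 folded continuation line
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'attribute: value'")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            if attrs is not None:
                raise ValueError(f"line {lineno}: 'dn:' inside a record; is the blank line before it missing?")
            attrs = {}
        elif attrs is None:
            raise ValueError(f"line {lineno}: attribute before any dn")
        attrs.setdefault(name, []).append(value)
        last = name
    if attrs is not None:
        records.append(attrs)
    return records


def lint_ldif(text):
    """Return a list of problems; an empty list means the file looks loadable."""
    problems, added, modifies = [], {}, []
    for rec in parse_ldif(text):
        dn = rec["dn"][0]
        if rec.get("changetype", ["add"])[0].lower() != "add":
            modifies.append(rec)
            continue
        if dn.lower() in added:
            problems.append(f"{dn}: added twice")
        added[dn.lower()] = rec
        # slapd rejects an entry whose RDN value is absent from its own attributes
        rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
        if rdn_val.lower() not in [v.lower() for v in rec.get(rdn_attr.strip().lower(), [])]:
            problems.append(f"{dn}: naming attribute {rdn_attr}={rdn_val} missing from entry")
        for cls in sorted(c.lower() for c in rec.get("objectclass", [])):
            for must in sorted(MUST.get(cls, ())):
                if must not in rec:
                    problems.append(f"{dn}: objectClass {cls} requires {must}")
        for pw in rec.get("userpassword", []):
            if pw.lower() in PLACEHOLDER_PASSWORDS:
                problems.append(f"{dn}: placeholder userPassword; set a real one with ldappasswd")
    for num, label, cls in (("uidnumber", "uidNumber", "posixaccount"),
                            ("gidnumber", "gidNumber", "posixgroup")):
        counts = Counter(r[num][0] for r in added.values()
                         if num in r and cls in {c.lower() for c in r.get("objectclass", [])})
        for n, c in counts.items():
            if c > 1:
                problems.append(f"{label} {n} is used by {c} entries")
    uids = {r["uid"][0] for r in added.values() if "uid" in r}
    for rec in modifies:
        for member in rec.get("memberuid", []):
            if member not in uids:
                problems.append(f"{rec['dn'][0]}: memberUid {member} refers to no account in this file")
    return problems


if __name__ == "__main__":
    for problem in lint_ldif(SAMPLE_LDIF):
        print(problem)
```

Run against the sample it reports the group without a cn (twice: once as a naming violation, once as a missing MUST attribute), sam's placeholder password, and the memberUid bob that names no account in the file; fix those and it returns an empty list. Point it at a real file with `lint_ldif(open("all.ldif").read())` before running ldapadd.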
Finally, you can set the password for the new users (note that -s puts the new password on the command line, where it is visible in the process list and shell history; -S prompts for it instead):
$ ldappasswd -s newpass123 -W -D "cn=Manager,dc=appsintheopen,dc=com" -x "uid=sam,ou=users,dc=appsintheopen,dc=com"
To set up another machine to authenticate against the ldap server, first install the ldap packages:
$ yum install -y openldap openldap-clients
Then you only need to run a single command, which takes care of writing the necessary config files and starting the processes. Note that this points at a plain ldap:// URL, so bind passwords cross the network unencrypted; for anything beyond a POC use an ldaps:// URL or add --enableldaptls:
$ authconfig --enableldap --enableldapauth --ldapserver=ldap://192.168.33.5:389/ --ldapbasedn="dc=appsintheopen,dc=com" --enablecache --disablefingerprint --kickstart